VYPR
Moderate severity · NVD Advisory · Published Feb 6, 2026 · Updated Feb 6, 2026

CVE-2025-70963

Description

Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Gophish <=0.12.1 exposes each user's long-lived API key in the administrative dashboard's client-side JavaScript, allowing persistent compromise.

Vulnerability

Description

Gophish versions 0.12.1 and earlier suffer from an incorrect access control vulnerability. The administrative dashboard injects the user's long-lived API key into a JavaScript object embedded in the HTML page on every login [1][3]. This makes permanent API credentials accessible to any script running in the browser context.

Exploitation

An attacker who can execute arbitrary JavaScript in the administrator's browser—for example, through a cross-site scripting (XSS) attack, malicious browser extension, or compromised web page—can read the API key directly from the DOM [3]. The exposure occurs on every login, so even after regenerating the key, the new key is immediately re-exposed.

Impact

The API key grants privileged access to the Gophish REST API and remains valid outside the web session. An attacker obtaining it can permanently access the application's API, even after the administrator logs out or rotates credentials [3].

Mitigation

As of the latest available version, no official patch has been released. The issue is tracked in the Gophish GitHub repository [3]. Suggested fixes include not embedding long-lived credentials in client-side code and using short-lived session tokens for UI operations. Users should consider avoiding API key usage until a fix is applied.
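The pattern the description paragraphs above attribute to the dashboard, and the fix the mitigation paragraph points to (no long-lived credential in client-side code; UI operations authenticated by the session instead), side by side as an added Go example. This is not Gophish's own code: the User type, the template markup, the function names and the sample key are assumptions made for the illustration. LeaksSecret is the kind of regression check a maintainer can run over rendered pages to make sure a credential never reaches the response body again.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// User is a hypothetical account record for this example; it is not a Gophish type.
type User struct {
	Username string
	APIKey   string // long-lived REST credential, valid outside the web session
}

// unsafeDashboard reproduces the pattern the advisory describes: the template
// serialises the user's API key into a JavaScript object on every render, so
// any script executing in the page context can read it.
var unsafeDashboard = template.Must(template.New("unsafe").Parse(
	`<!doctype html><html><body>
<script>var user = {name: "{{.Username}}", apiKey: "{{.APIKey}}"};</script>
</body></html>`))

// safeDashboard sends the browser only what the UI needs to render. Calls the
// UI makes to the REST API are authenticated by the short-lived session cookie,
// which the browser attaches itself, so the long-lived key never reaches
// client-side code.
var safeDashboard = template.Must(template.New("safe").Parse(
	`<!doctype html><html><body>
<script>var user = {name: "{{.Username}}"};</script>
</body></html>`))

func render(t *template.Template, u User) (string, error) {
	var buf bytes.Buffer
	if err := t.Execute(&buf, u); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderUnsafe and RenderSafe produce the two dashboard variants for comparison.
func RenderUnsafe(u User) (string, error) { return render(unsafeDashboard, u) }
func RenderSafe(u User) (string, error)   { return render(safeDashboard, u) }

// LeaksSecret is the regression check a maintainer can run over every rendered
// page: it reports whether the credential appears in the response body. It
// assumes keys drawn from [A-Za-z0-9], which html/template emits unchanged
// inside a JavaScript string; other characters would be JS-escaped first.
func LeaksSecret(body, secret string) bool {
	return secret != "" && strings.Contains(body, secret)
}

func main() {
	// Constructed sample user; the key value is made up for this example.
	u := User{Username: "admin", APIKey: "EXAMPLE0123456789abcdef"}
	for _, v := range []struct {
		name string
		fn   func(User) (string, error)
	}{{"unsafe", RenderUnsafe}, {"safe", RenderSafe}} {
		body, err := v.fn(u)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-6s dashboard contains API key: %v\n", v.name, LeaksSecret(body, u.APIKey))
	}
}
```

Running it with `go run` prints one line per variant: the unsafe page contains the key, the safe page does not. The design point is that the browser only ever holds the session cookie; a script that gains execution in the page can still act as the user for the lifetime of that session, but it cannot extract a credential that outlives the session or survives a logout.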

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/gophish/gophish (Go)
Affected versions: <= 0.12.1
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in the index yet)